Woods Lonergan PLLC Announces Investigation into Aflac Insurance Data Breach for Potential Class Action Lawsuit

Posted on
By James Woods
Managing Partner
aflac insurance data breach potential class action lawsuit

NEW YORK, NY – [June 20, 2025] – Woods Lonergan PLLC, a leading complex litigation firm specializing in class action data breach lawsuits and data privacy litigation, is actively investigating a potential class action lawsuit against Aflac Inc., a Fortune 500 company and the nation’s largest provider of supplemental health insurance. This investigation follows Aflac’s recent disclosure of a significant cybersecurity incident that may have exposed the highly sensitive personal and health information of its customers, beneficiaries, employees, and agents.

If you or a family member received a data breach notification letter from Aflac Inc., insurance concerning the recent cyberattack, your personal and medical information may be at risk. Contact Woods Lonergan PLLC, a leading firm in data breach litigation, to speak with one of our attorneys today at  (332) 330-3164 to speak with our Data Breach Litigation Team today.

Aflac, a company entrusted with deeply personal data from millions of policyholders across the United States, confirmed that its U.S. network was breached on June 12, 2025. While Aflac states its business operations remain functional and its systems were not affected by ransomware, the preliminary findings indicate that a sophisticated cybercrime group utilized social engineering tactics to gain unauthorized access. This incident is not isolated; it’s part of a disturbing cybercrime campaign specifically targeting the insurance industry.

The Aflac data breach potentially compromised a wide range of your most confidential information, including:

  • Names, Dates of Birth and Contact Information
  • Social Security Numbers (SSNs)
  • Claims Information
  • Personal Medical Information (diagnosis, treatment details, test results)
  • Health Insurance Information
  • Protected Health Information (PHI)
  • Other Personal Information (PII)

If you or a family member received a data breach notification from Aflac or believe your information may have been compromised in this cyberattack, your personal and medical privacy may be at severe risk. Call Woods Lonergan PLLC, a leading firm in data breach litigation, to discuss your legal options today at (332) 286-4887 to speak with our Data Breach Litigation Team today.

Details of the Aflac Data Breach: A Coordinated Cyber Crime Campaign

Aflac, an insurance conglomerate that manages the personal, medical, and financial data of over 50 million policyholders, disclosed “suspicious activity” on its U.S. network on June 12, 2025. This incident highlights a troubling trend: the insurance industry has become a prime target for sophisticated cybercrime groups. Aflac itself stated that this attack, “like many insurance companies are currently experiencing, was caused by a sophisticated cybercrime group. This was part of a cybercrime campaign against the insurance industry.”

The company’s preliminary investigation indicates that unauthorized access was gained through social engineering tactics. This method, which exploits human vulnerabilities rather than technical system flaws, often involves deceptive practices like phishing or impersonation. While Aflac has engaged leading third-party cybersecurity experts to investigate and is reviewing potentially impacted files, the full scope of the breach and the total number of affected individuals remain undetermined at this early stage. This lack of immediate clarity underscores the significant challenge victims face in understanding their exposure, and protecting their private personal information in a timely manner.

The Scattered Spider Threat: Sophisticated Social Engineering

While Aflac has not officially attributed the breach to a specific group, characteristics of this attack exhibit all the signs of a Scattered Spider operation. This highly organized cybercrime collective, also known as 0ktapus, UNC3944, or Muddled Libra, is renowned for its sophisticated social engineering attacks against high-profile organizations globally. Their tactics frequently include phishing, SIM swapping, and multi-factor authentication (MFA) bombing – techniques designed to manipulate individuals into granting network access.

Notably, Google Threat Intelligence Group (GTIG) warned earlier this week that Scattered Spider has recently pivoted its focus to targeting U.S. insurance companies, following a months-long spree against retailers. This aligns directly with the Aflac incident and other recent cyberattacks experienced by insurers like Philadelphia Insurance Companies (PHLY) and Erie Insurance, which also faced outages and disruptions after detecting unauthorized network access. The pattern suggests a coordinated, industry-wide assault, raising critical questions about the cybersecurity defenses of institutions holding vast amounts of highly sensitive data.

Who Was Affected by the Aflac Data Breach?

The Aflac data breach potentially affects an undetermined but significant number of individuals whose sensitive information is held by the insurance giant. This includes, but may not be limited to:

  • Aflac Customers
  • Beneficiaries
  • Employees
  • Agents
  • Other individuals associated with Aflac’s U.S. business.

Given Aflac’s status as the largest supplemental health insurance provider in the U.S. with millions of policyholders, the scale of this data compromise could be immense. If you have or had a policy with Aflac, were a beneficiary, or worked for Aflac, and you receive a data breach notification letter from Aflac, or suspect your information was exposed, you may be an affected individual and could be eligible to join an Aflac data breach class action lawsuit.

Potential Impact on Victims of the Aflac Data Breach

The Aflac data breach, involving such a high volume of highly sensitive information, places affected individuals at significant and ongoing risk of:

  • Financial Identity Theft: Compromised Social Security Numbers (SSNs) and claims information can be exploited to open fraudulent accounts, make unauthorized purchases, and commit other forms of financial fraud.
  • Medical Identity Theft: Stolen health information can be used to obtain fraudulent medical services, prescriptions, or equipment, potentially leading to inaccurate medical records and substantial financial burdens for victims.
  • Tax Fraud: Exposed SSNs can be used to file fraudulent tax returns, leading to significant complications with the IRS.
  • Targeted Phishing and Social Engineering Attacks: The detailed personal and health information makes victims highly vulnerable to sophisticated phishing emails or social engineering schemes, designed to extract even more sensitive data.
  • Privacy Violations and Potential Blackmail: The exposure of confidential claims and health information can lead to severe privacy violations and, in extreme cases, potential blackmail.
  • Emotional Distress and Anxiety: The realization that deeply personal and private information has been exposed by cybercriminals can cause significant emotional distress, anxiety, and a profound loss of trust.

Aflac is offering free credit monitoring, identity theft protection, and Medical Shield for 24 months to those who contact their dedicated call center. While a helpful step, this does not alleviate the long-term risks associated with the exposure of such critical personal data.

Legal Claims in the Aflac Data Breach Lawsuit

Woods Lonergan PLLC’s Data Breach attorneys are focused on potential violations of law and legal claims in the Aflac data breach case, including:

  • Negligence: Aflac’s alleged failure to adequately protect highly sensitive data, its susceptibility to social engineering tactics, and any potential inadequacy in its cybersecurity measures given the value and volume of data it holds.
  • Breach of Contract: Potential implied or express breach of contracts with policyholders and other individuals to protect their confidential information.
  • HIPAA Violations: As a healthcare-related entity handling Protected Health Information (PHI), Aflac has a legal obligation under the Health Insurance Portability and Accountability Act (HIPAA) to safeguard patient data. Failures to do so can lead to significant penalties and legal actions.
  • State Data Breach Notification Laws: Violations of relevant state laws requiring timely notification and adequate data security measures. Given Aflac’s nationwide reach, this could involve numerous state statutes.
  • Other Potential Claims: Depending on the specific circumstances and applicable state laws, additional claims may be possible as our investigation uncovers more details.

“The Aflac data breach, particularly its suspected link to the Scattered Spider cybercrime group and the use of social engineering, underscores a critical failure in protecting highly sensitive information,” said Jim Woods, Managing Partner of Woods Lonergan PLLC. “Insurance companies are custodians of some of our most intimate data, from health and financial records to Social Security numbers. When such data is compromised, it has profound and lasting consequences for victims. Our firm is dedicated to holding Aflac accountable and securing just compensation for those harmed by this breach.”

What to Do If You Were Affected by the Aflac Data Breach

If you received a data breach notification from Aflac or suspect your information may have been compromised in the Aflac cyberattack, taking proactive steps is crucial:

  • Review the Notification: Carefully read any communication from Aflac to understand which specific types of your personal information were exposed.
  • Monitor Financial Accounts and Credit Reports: Closely scrutinize all financial statements, credit card activity, and your credit reports for any unauthorized or suspicious transactions. You are entitled to a free credit report annually from each of the three major credit bureaus.
  • Consider a Fraud Alert or Credit Freeze: Placing a fraud alert makes it harder for identity thieves to open new accounts in your name. A credit freeze offers stronger protection by restricting access to your credit report altogether.
  • Change Passwords: Update passwords for all online accounts, especially those linked to your Aflac policy or that use similar credentials. Use strong, unique passwords and consider using a password manager.
  • Be Vigilant Against Phishing Attempts: Be highly suspicious of unsolicited emails, texts, or calls, as cybercriminals may use the stolen data to craft targeted phishing or social engineering attacks. Do not click suspicious links or provide personal information.
  • Consult Legal Professionals: To understand your full rights and potential legal recourse, contact experienced data breach attorneys. Joining an Aflac data breach class action lawsuit can be an effective way to seek compensation for damages, including financial losses, emotional distress, and the value of your compromised private information.

Contact Our Class Action Data Breach Litigation Lawyers

If you or a family member received a Data Breach Notification from Aflac concerning the recent cyberattack, your personal and medical information may be at risk. Contact Woods Lonergan PLLC, a leading firm in data breach litigation, to discuss your legal options. Please Call Woods Lonergan PLLC today at (332) 286-4887 to speak with our Data Breach Litigation Team today. Our experienced data breach lawyers are ready to provide a confidential consultation and help you understand how to protect your rights and pursue justice.

About Woods Lonergan PLLC

Woods Lonergan PLLC is a leading New York-based litigation firm specializing in complex civil litigation, including class action data privacy and cybersecurity matters. We have a proven track record of successfully holding corporations accountable for data breaches and protecting the rights of consumers. Woods Lonergan has a proven track record of successfully holding large corporations accountable for failing to protect highly sensitive consumer data.

Citations

  • Aflac Incorporated. (June 20, 2025). Aflac Incorporated Discloses Cybersecurity Incident. PRNewswire. [Insert Official Aflac Press Release URL here]
  • Kapko, Matt. (June 20, 2025). Aflac duped by social-engineering attack, marking another hit on insurance industry. CyberScoop. [Insert CyberScoop URL here]
  • Arghire, Ionut. (June 20, 2025). Millions Impacted by PowerSchool Data Breach. SecurityWeek. [Insert SecurityWeek URL on Scattered Spider / insurance industry targeting, if available and different from the CyberScoop link]
  • ClassAction.org. (June 20, 2025). Aflac Data Breach Lawsuit Investigation. [Insert ClassAction.org URL here]

About the Author

James Woods, Managing Partner of Woods Lonergan, holds more than 25 years of experience in corporate, real estate, and business legal matters. His expertise in handling negotiations, litigation, jury trials, and all forms of alternative dispute resolution spans multiple areas, including corporate, real estate, and commercial litigation. James actively represents dozens of Cooperative and Condominium Boards and serves as counsel to many Corporate Boards. Prior to founding the firm, James proudly served as an Assistant District Attorney for Nassau County and handled both jury and bench trials. With experience that also covers sophisticated transactions and complex acquisitions, James also serves as counsel to several domestic companies in a range of industries and commercial arenas, including real estate, insurance, banking, transportation, and construction. If you have any questions about this article you can contact attorney James Woods through his biography page.

Disclaimer: The information in this article and blog post (“post”) is provided for informational purposes only, and may not reflect the current law(s) in every jurisdiction. No information contained in this post should be construed as legal advice from Woods Lonergan PLLC or the individual author(s), nor is it intended to be a substitute for legal counsel on any subject matter. Nothing herein shall be construed to create an attorney-client relationship with Woods Lonergan PLLC. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through, this Post without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from an attorney licensed in the recipient’s jurisdiction. This post is attorney advertising.
Attorney Advertising | Disclaimer | Privacy Policy
Website developed in accordance with Web Content Accessibility Guidelines 2.1.
If you encounter any issues while using this site, please contact us: 212.684.2500